Date: Thu, 11 Dec 2008 14:14:58 +0100
From: "Sebastian Gottschall (DD-WRT) " <s.gottschall@...wrt.com>
To: pUm <hijacka@...glemail.com>
Cc: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: Re: Multiple XSRF in DD-WRT (Remote Root Command Execution)

All fixed images (for all platforms) are now provided here in our test
folder:

http://www.dd-wrt.com/dd-wrtv2/down.php?path=downloads%2Fothers%2Feko%2FBrainSlayer-V24-preSP2%2F111208/


Consider, before you advise to "not use" dd-wrt:

All other major firmware distributions are affected by the same issue.
This includes OpenWrt too.

Sebastian


pUm schrieb:
> This is no security flaw, since you must already be logged in to
> the web interface of dd-wrt; otherwise this here will not work. We
> already fixed this issue in our source tree.
>
> As additional information: this is no dd-wrt specific issue. All other
> firmware like OpenWrt etc. would suffer from it too.
>
> In fact, just a plain POST to an authenticated dd-wrt session. Without
> being logged in locally it would not have any effect.
> -----------------------------------
>
> Oh god, you dd-wrt people suck so much. It's unbelievable in which
> way you are handling security advisories. If you were able to make
> a post without authentication it would be much worse. I would
> recommend reading www.owasp.org
>
> Another example of the bad security work of the dd-wrt guys is this
> forum post:
> http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35783&postdays=0&postorder=asc&start=0
>
> bitmage discovered that in every fresh release and every custom
> firewall, two other rules are added in front of all the others.
> The rules allow every service on the dd-wrt router from the IP
> 194.231.229.20 and from the IP 212.65.2.116.
>
> Some workarounds exist; I didn't test any of them, because dd-wrt isn't
> trustworthy anymore for me. I can confirm this flaw in the latest
> stable VPN release.
>
> Please note the workarounds from the main developer of dd-wrt:
> "Even I see no reason for this. These IP addresses aren't valid
> anymore. It seems that Chris implemented this for a customer. I
> removed it now" (they are still in the default install image)
> "nvram unset ral
> nvram commit "
> "There is no security hole. Both IPs are not active anymore and
> have been obsolete for a long time."
> "I will lock this thread now. A new release is scheduled soon (within
> this or next week), but you cannot force me to release buggy code
> based on the current internal tree. That's my last statement on this
> topic" (Posted: Tue Aug 19, 2008 10:57 pm)
>
> I recommend that everyone stop using dd-wrt, at least as long as
> they don't change their politics and stop talking bullshit like "there
> is no security hole".
>
> cheers
>
>   


-- 
Mit freundlichen Grüssen / Regards

Sebastian Gottschall / CTO 

NewMedia-NET GmbH - DD-WRT 
Firmensitz:  Wormser Straße 5 - 7, 64625 Bensheim
Registergericht: Amtsgericht Darmstadt, HRB 25473
Geschäftsführer: Peter Steinhäuser, Christian Scheele
http://www.dd-wrt.com
email: s.gottschall@...wrt.com
Tel.: +496251-582650 / Fax: +496251-5826565 
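
The point the two sides of this thread argue past each other on is whether a request that only works "when you are already logged in" is a real flaw. It is: the browser attaches the router's credential (a session cookie, or cached HTTP Basic auth) to any request it sends to the router, including a form auto-submitted by a page the administrator happens to have open. The following is an added illustration written for this archive page, not DD-WRT code; the handler names, the cookie name, the admin-UI address and the "cmd" form field are assumptions made for the example. It models the same endpoint twice, first trusting the credential alone and then with a per-session anti-CSRF token and an Origin/Referer check.

```python
# Added illustration of the CSRF point argued in this thread; it is not
# DD-WRT code. The handler names, cookie name, ROUTER_ORIGIN and the
# "cmd" form field are assumptions made for the example.
import hmac
import secrets

ROUTER_ORIGIN = "http://192.168.1.1"      # assumed address of the admin UI

# Server-side session table: session id -> {"user": ..., "csrf": token}
SESSIONS = {}


def login(user):
    """Create an authenticated session; return (session_id, csrf_token)."""
    sid = secrets.token_hex(16)
    token = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": token}
    return sid, token


def vulnerable_apply(headers, cookies, form):
    """Trusts the browser-supplied credential alone.

    Whether the credential is a session cookie (as modelled here) or cached
    HTTP Basic auth, the browser attaches it to every request to the router,
    including a POST auto-submitted by a page on another site.
    """
    if cookies.get("session") not in SESSIONS:
        return 401, "not logged in"
    return 200, "executed: " + form.get("cmd", "")


def hardened_apply(headers, cookies, form):
    """Same endpoint with anti-CSRF checks.

    1. Origin (or Referer) must name the router itself. Compared as a
       whole origin, so "http://192.168.1.100" does not pass as a prefix.
    2. The form must carry the per-session token. A hostile page cannot
       read it: it is embedded in the router's own HTML, which the
       same-origin policy keeps out of reach of other sites.
    """
    sess = SESSIONS.get(cookies.get("session"))
    if sess is None:
        return 401, "not logged in"
    origin = headers.get("Origin") or headers.get("Referer", "")
    if origin != ROUTER_ORIGIN and not origin.startswith(ROUTER_ORIGIN + "/"):
        return 403, "cross-site request refused"
    if not hmac.compare_digest(form.get("csrf_token", ""), sess["csrf"]):
        return 403, "missing or wrong csrf token"
    return 200, "executed: " + form.get("cmd", "")


def cross_site_post(handler, sid):
    """Model of a hostile page on another origin auto-submitting a form.

    The victim's browser adds the router cookie by itself; the page chooses
    the form fields but has no way to learn the csrf token.
    """
    headers = {"Origin": "http://evil.example"}
    cookies = {"session": sid}          # attached by the browser, not the page
    form = {"cmd": "example"}           # attacker-chosen field (placeholder)
    return handler(headers, cookies, form)


def same_site_post(handler, sid, token):
    """The administrator submitting the router's own form."""
    headers = {"Origin": ROUTER_ORIGIN}
    cookies = {"session": sid}
    form = {"cmd": "example", "csrf_token": token}
    return handler(headers, cookies, form)


if __name__ == "__main__":
    sid, tok = login("admin")
    print("vulnerable, cross-site:", cross_site_post(vulnerable_apply, sid))
    print("hardened,   cross-site:", cross_site_post(hardened_apply, sid))
    print("hardened,   same-site :", same_site_post(hardened_apply, sid, tok))
```

The vulnerable handler accepts the cross-site POST with status 200 because the only thing it checks is a credential the victim's browser supplies for free; the hardened one refuses it on the Origin check and, even if the Origin were spoofable, on the token it cannot know. Checking the Referer alone is weaker (it can be absent or stripped), which is why the token is the primary control here.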

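The second complaint in the quoted message, two rules at the head of the INPUT chain accepting every service from two fixed addresses, is easy to check for on any Linux-based router. The following is an added example for this archive page, not DD-WRT code: it parses an `iptables-save` / `iptables -S INPUT` style listing and flags ACCEPT rules keyed on a source address that carry no protocol, port, interface or destination restriction, plus any rule naming the two addresses from the post. The chain listing is constructed to match the post's description and is not captured from a real router.

```python
# Added example, not DD-WRT code: audit an iptables INPUT chain for rules
# that accept everything from a specific source address, the pattern the
# quoted forum post describes. SAMPLE_INPUT_CHAIN is constructed for the
# example; the two addresses in SUSPECT_SOURCES are the ones named in the post.
import shlex

SUSPECT_SOURCES = {"194.231.229.20", "212.65.2.116"}

# Constructed listing in "iptables -S INPUT" / iptables-save rule syntax.
SAMPLE_INPUT_CHAIN = """\
-P INPUT DROP
-A INPUT -s 194.231.229.20/32 -j ACCEPT
-A INPUT -s 212.65.2.116/32 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 10.0.0.5/32 -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -j DROP
"""

# Options whose presence narrows a source-based allow to something less
# than "every service".
RESTRICTING_OPTIONS = ("-p", "--dport", "--sport", "-i", "-d")


def parse_rule(line):
    """Turn one '-A CHAIN ...' line into {option: value}.

    Negated options ('! -s x') are dropped: they do not name an allowed
    source, so they must not be mistaken for one.
    """
    toks = shlex.split(line)
    opts = {}
    i = 2                               # skip "-A" and the chain name
    while i < len(toks):
        if toks[i] == "!":
            i += 3                      # skip "!", the option and its value
            continue
        if toks[i].startswith("-") and i + 1 < len(toks):
            opts[toks[i]] = toks[i + 1]
            i += 2
        else:
            i += 1
    return opts


def find_source_allows(listing, suspects=SUSPECT_SOURCES):
    """Return ACCEPT rules keyed on a source address, with chain position.

    A rule is reported when it has no restricting option (a blanket allow
    for that source) or when its source is one of the suspect addresses,
    even if it is otherwise restricted.
    """
    findings = []
    position = 0
    for line in listing.splitlines():
        if not line.startswith("-A "):
            continue                    # chain policy (-P) and blank lines
        position += 1
        opts = parse_rule(line)
        if opts.get("-j") != "ACCEPT" or "-s" not in opts:
            continue
        ip = opts["-s"].split("/")[0]
        restricted = any(k in opts for k in RESTRICTING_OPTIONS)
        if not restricted or ip in suspects:
            findings.append({
                "position": position,   # 1 = evaluated first
                "source": ip,
                "blanket": not restricted,
                "named_in_post": ip in suspects,
            })
    return findings


if __name__ == "__main__":
    for finding in find_source_allows(SAMPLE_INPUT_CHAIN):
        print(finding)
```

On a live box, feed it the output of `iptables-save` or `iptables -S INPUT` instead of the constructed sample; a finding at position 1 or 2 is exactly the situation the post describes, since rules are evaluated in order and a blanket ACCEPT at the head short-circuits everything after it. The post quotes the developer's workaround as `nvram unset ral` followed by `nvram commit`; whether that variable is what seeds the rules on a given build is a claim of the post, not something this script verifies, so re-run the audit after a reboot.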
